The Pavlovian yes box

In the technology field we like to "train" people how to do things. But many people do not understand the difference between training and education. To educate someone means that they have an understanding of how to perform a task and to understand why it works. To train someone on a subject only gives them part of that equation. A person who has been trained on a subject only knows a process to accomplish a task but does not know how or why that process works.

For years, Internet technology has trained people to use the Internet in a certain way. We train people to break up the search queries into key words instead of whole sentences. We train people to "Google" it rather than to fully research a topic using traditional library media or trusted resources. And finally we train people to click on "YES" when any question is presented to them when they click on a link.

So when Microsoft released Internet Explorer 8, help-desk's around the world were deluged with angry calls about websites which suddenly stopped working. The problem was that Microsoft, rather than passively continuing its part in training users to press "YES" to continue, now requires a "NO" to continue.

My hope is that people actually are forced to read what they are agreeing to. And when they do finally read it, they start asking very important questions like what they are agreeing to exactly. The most common issue is with websites is when they mix secured and unsecured content. To most people so long as only their private information is being sent on the encrypted channel, they are satisfied. However the problem really lies with authentication, most authentication uses a session ID variable which is given to the user with every transaction. Unless special measures are taken this session ID can leak out of the secured session and become available to someone who is eavesdropping. That person can then usurp the connection and pretend to be the user.

This is not all the users' fault of course; the developers take the blame too. It isn't until recently that people have started to do exactly what they are supposed to do and complain and make sure that all of their secured website links are SSL aware. Popular web applications like Wordpress are pretty dumb when it comes to this issue; there are of course plug-ins which patch this issue, as well as some all or nothing solutions which force everything to be SSL but nothing very elegant. The real issue with web apps is when dealing with plug-ins and 3rd party software which are not forced to follow any convention when creating content or linking.

Other web security related articles at H-i-R:

• Securing PHP Web Applications
• Introduction to SNORT IDS